Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

I am writing a subsearch to get a user details as input for someother search but it is not working when i include the subsearch . need help asap

arunsundarm
Engager
‎05-13-2019 01:28 AM

index=* [search index=_internal [| rest /services/authentication/current-context splunk_server=local | fields username | rename username as user ] |top user limit=1 | fields user ]

Tags (1)
0 Karma
Reply

arunsundarm
Engager
‎05-13-2019 01:29 AM

"index=* [search index=_internal [| rest /services/authentication/current-context splunk_server=local | fields username | rename username as user ] |top user limit=1 | fields user ] "

0 Karma
Reply

maciep
Champion
‎05-13-2019 08:41 AM

do you have non-internal indexes with a field named called user that would match the username of the user running this? the subsearch seems to work for me when I just look at internal logs.

0 Karma
Reply

Sukisen1981
Champion
‎05-13-2019 09:34 AM

Bit difficult to understand your requirement, but if you try this , is the first part of your need achieved?
index=_internal | join user type=inner
[| rest /services/authentication/current-context splunk_server=local | fields username | rename username as user |top user limit=1
| fields user]

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...

Access to Splunk Observability Kubernetes “Classic Navigator” UI will no longer be available starting January ...